Friday, January 3, 2014

The threat of login CSRF

Login CSRF is an often overlooked web vulnerability. Developers tend to focus on securing user data and assume that users wouldn't voluntarily give up access to their accounts. Yet with login CSRF exactly this happens - attacker is giving full control of his account to the victim (of course it's a fake account). Once the victim and attacker are in the same trust domain various other attacks become possible.

Consequences can vary:

attacker can monitor victim's actions

attacker can interact with the victim without him realizing that a session swap just occured

some low severity bugs can become exploitable (e.g. an XSS in configuration page, that is visible only to the account holder)

or just google up the links, maybe you'll find some unexpired password reset links etc. that actually log you into the victim's account

To mitigate this issue don't log in users where that's not required. If it's a password reset link, only reset password, if it's an e-mail confirmation link, only confirm e-mail without loging in the user. And make sure your other login forms are CSRF protected.